Technology—Property provides information on current technology and microcomputer software of interest in the real property area. The editors of Probate & Property welcome information and suggestions from readers.

The Right to Information Privacy

Although the debate over a general right to privacy remains contentious and captures most citizens' attention, the question of how advances in technology could erode a more specific right to information privacy remains unanswered. This is unfortunate because public and private organizations now collect more data about more citizens than ever before and can easily share that information with other organizations and with governments. This article explores some of the major protections for information privacy in the United States. Although many of these safeguards technically apply only to federal agencies, every entity that collects and stores personal information should treat these requirements as a starting point for its own privacy and security protections over client data.

The foundations for information privacy regulation were laid by the Privacy Act of 1974, Pub. L. No. 93-579, codified at 5 U.S.C. § 552a. Passed by Congress roughly four months after the Watergate scandal culminated in the resignation of President Nixon, the Privacy Act placed new requirements on federal agencies in the handling of personal data. These requirements emphasized three major areas: appropriateness, access, and safeguards. For appropriateness, the Act identified what types of data collection were appropriate and how that data could be used after collection. The Act mandated that federal agencies collect only the personal data necessary to carry out agency functions identified by statute or executive order. Initially at least, this meant that federal agencies collected only the information about citizens that was strictly necessary. Extraneous data was not collected, because holding it posed a risk that the agency might use it in an inappropriate manner and expose itself to civil remedies sought by aggrieved parties.

The Act also set access parameters. It specifically required that agencies allow citizens to view their own records and correct inaccuracies in them, and it mandated that an agency could disclose a person's records to other entities only with that person's prior written consent. The Act, however, listed a number of exceptions to these parameters so that agencies could continue to use records for daily governmental operations. For example, the Act allowed an agency to disclose records without consent if (1) the data was subject to Freedom of Information Act (FOIA) requests; (2) the agency needed the data for a routine use; (3) the Census Bureau or other agencies required the data for census reporting, archiving, or statistical research; (4) law enforcement authorities needed the record or a court ordered it released; or (5) other entities, such as consumer reporting agencies, had an interest grounded in law in access to the record. The Act also addressed security, mandating the establishment of administrative, technical, and physical safeguards to ensure the confidentiality and security of records.

Although not testing the constitutionality of the federal Privacy Act, the case of Whalen v. Roe, 429 U.S. 589 (1977), further helped explain the limits and powers of government in the collection of private data. In that case, the New York state government enacted the New York State Controlled Substances Act of 1972, which mandated that the state collect copies of prescriptions for potentially dangerous and addictive pharmaceutical drugs in an effort to prevent drug abuse and prescription shopping. The Act required the completion of a form that identified the drug and its dosage, the physician that prescribed the drug, the pharmacy that dispensed the drug, and the name, address, and age of the patient. After completion, a copy of the form was filed with the State Health Department and recorded on data tapes for computer processing and stored for a five-year period.

In Whalen a group of physicians and patients challenged the New York Act, contending that the completion of the form and the storage of patient data by the state government violated the constitutionally protected privacy of the doctor-patient relationship. Ultimately, the U.S. Supreme Court found that the collection and storage of this type of data did not intrude on a zone of privacy and was permissible, pointing to the limited number of Health Department officials who had access to the data and the strict security safeguards surrounding it. Writing for a unanimous Court, Justice Stevens detailed the security protocols surrounding the data:

[The forms are] surrounded by a locked wire fence and protected by an alarm system. The computer tapes containing the prescription data are kept in a locked cabinet. When the tapes are used, the computer is run "off-line," which means that no terminal outside of the computer room can read or record any information.

429 U.S. at 594. Those stringent safeguards, plus the fact that the collection of data was needed to help solve the policy problem of drug abuse, and the fact that only 17 state health department officials had access to the data, meant that the collection of the data did not intrude on the privacy rights of citizens. But, in an ominous warning written in a concurring opinion, Justice Brennan noted that

The central storage and easy accessibility of computerized data vastly increase the potential for abuse of that information, and I am not prepared to say that future developments will not demonstrate the necessity of some curb on such technology.

Id. at 607. Although Justice Brennan did not explicitly define those hypothetical curbs on technology in his concurring opinion, given the facts of Whalen they would probably include restricting both the collection of personal data and its central storage. That is, if government could not sufficiently control access to the data it collected on citizens, it should stop using technology to collect personal data and to store it in a centralized location.

By the late 1980s, the implications of Justice Brennan's concurring opinion became even more important. More computers were being networked and connected to other computers, including computers holding sensitive data of the kind at issue in Whalen v. Roe. This allowed agencies to easily match and compare one individual's data across organizational boundaries. For example, in an effort to become more efficient, policymakers started to require that certain federal and state programs match data across databases to make sure that errors and corruption did not occur in the administration of need-based programs. Simply keeping sensitive data files in "locked cabinets" or behind "wire fences" (as described in Whalen v. Roe) was no longer an option. As a result, policymakers amended the Privacy Act in 1988 with the Computer Matching and Privacy Protection Act, Pub. L. No. 100-503, codified at 5 U.S.C. § 552a. This Act required agencies to notify those affected by data matching; to establish a data integrity board that oversees matching programs; to enter into written agreements before engaging in data matching; and to independently verify the accuracy of a match before taking adverse action against an individual on the basis of it.

Although these acts applied only to federal agencies, they implicitly established a model for both public and private organizations to protect information privacy. Now, almost all organizations require some combination of administrative, physical, and technical safeguards to protect information privacy. In 2009, these safeguards are no longer primarily physical. With the rise of networked data systems, the Internet, and organizational intranets, physical safeguards like "locked cabinets" and "wire fences" are no longer sufficient on their own, because the data no longer stays in the room. Instead, to protect information security, the data itself must be secured, a practice referred to here as data securitization.

Data securitization can mean many things, but generally it consists of internal and external controls over data access. Internal controls consist of technical safeguards like password-protected terminals and firewalls that prevent outsiders from reaching internal data. External controls govern data in transit and in some ways are much harder to design and implement. For example, external controls would require that private data be encrypted whenever it is transmitted over the Internet from one location to another. Such encryption typically relies on a public key infrastructure (PKI): a trusted third party, the certificate authority, issues a digital certificate that binds a public key to the identity of its holder. Anyone can use that public key to encrypt data for the holder, but only the holder's corresponding private key, which never leaves the holder, can decrypt it. The certificate itself is public; its value lies in letting the sender verify whose key it is before encrypting.

The real difficulty in establishing external controls, however, is maintaining data security as the physical ease of data mobility increases. With the rapid ascent of laptops and flash-based memory devices, workers can now store entire databases of private data on drives as small as a human finger and carry that data outside the physical safeguards of the organization to external locations like conferences and home offices in a way that would have been unthinkable during the Whalen v. Roe era. This creates problems because laptops and small flash-based memory devices are easily lost or stolen. As a result, organizations have started to implement secondary controls for laptops and flash devices that require a password or a biometric check (such as a fingerprint scan) to open a device holding private data. Such a check protects the data only if the device's storage is itself encrypted and the password or biometric unlocks the decryption key; a login prompt in front of an unencrypted drive can be bypassed simply by removing the drive and reading it in another machine.

But even with these types of safeguards, is data truly private in 2010? Or does the mass proliferation of networked computers, small storage devices, and the Internet mean that the right to information privacy is permanently eroded, at least compared to the Whalen v. Roe era, when physical safeguards like "locked cabinets" and "wire fences" were seemingly enough to protect it? Even with appropriate safeguards, information privacy is not as secure as it was over 30 years ago. Password-protected data sites are increasingly compromised by intruders, and laptops and flash-based memory devices holding sensitive data are commonly misplaced and mishandled. This leads to a somewhat troubling conclusion. At some point, public and private organizations may have to follow Justice Brennan's advice from over 30 years ago and place strict limits on technology to help ensure information privacy. Although this may compromise the efficiency and usability of the interconnected data records we have all come to rely on, it would help ensure that the right to information privacy continues into the future.